Listen to Jason Miller on the Federal Drive.

As part of the preparation to implement cybersecurity continuous monitoring,
agencies have one week to send the Office of Management and Budget their initial
ideas of how they will move to a dynamic approach to protecting their computers,
data and networks.

Under the OMB memo from
November, the administration wants agency strategies by Feb. 28 on how they plan
to implement information security continuous monitoring by 2017. Along with the
strategy, agencies are to begin buying products and services to implement phase
one of continuous monitoring.

The General Services Administration, working as the acquisition arm of DHS, awarded task orders to four companies worth a combined
$60.4 million for products in January under the continuous diagnostics and
mitigation (CDM) contract.

These initial deadlines kick off a summer of target dates around the CDM effort to
improve governmentwide cybersecurity.

By April 30, agencies have to submit to OMB an analysis of human resources skill
gaps and the names of those in charge of implementing this effort.

The personnel challenges continue to be among the hardest obstacles to overcome.

"There's a lot of human capital employed on these cybersecurity tasks throughout
all these agencies, whether it's direct services provisions or if it's
intellectual discussions that are brought to bear," said Peter Gouldmann, the
State Department's director of information risk programs, at a luncheon panel
sponsored by AFFIRM Thursday in Washington. "Sometimes it feels like we are on the
leading edge, and industry has quite caught up with us. Other times it's the other
way around. What I would look for would be a meaningful partnering engagement on
the intellectual side of this problem and the creativity you speak of. Everybody
is a collector of their experience and brings their broad experience to play, and
we'd like to leverage a lot of that and force multiply that. It's not enough to
have that handful of cybersecurity experts at an agency. We really need hundreds,
and it's sometimes difficult to get them. We grow often within, but we'd like to
ask a general call to our industry partners to focus on that human capital just
like we are."

Dashboard award imminent

By March 31, the National Institute of Standards and Technology will publish
guidance establishing a process and criteria for agencies to conduct ongoing
assessments and authorizations (A&A) to replace the certification and
accreditation process under the Federal Information Security Management Act
(FISMA).

Two months later, agencies need to be deploying information security continuous
monitoring for all systems and ensuring all systems have an authority to operate
before initiating the CDM processes.

So over the next three months, OMB, NIST and other agencies have a lot of
preparation for the changeover.

Agencies are waiting for a second cyber contract award for the dashboard that will
collect and display cyber health data.

Steve Viar, the director of FEDSIM in GSA's Federal Acquisition Service, said the
task order under the Alliant small business governmentwide acquisition contract
should be awarded in the next few weeks.

But even after GSA awards the contract, agencies still will have to come up with
metrics for the dashboard.

Margie Graves, the deputy CIO at the Homeland Security Department, said the
dashboard and agency surveys filled out months ago will help bring, for the first
time, a unified view of cybersecurity.

"We're all going to be involved in designing the metrics that will go on that
dashboard, and what we want to make sure we do as we walk through that development
is to pick those things that will be more relevant to us in order for us to be
able to take those actions," Graves said. "When we exchange those metrics and look
across government, we are able to derive themes and conclusions. If you see a
certain effect of an attack, being able to know what might be the root cause of
that and being able to attack it from the root cause perspective."

Graves says an interagency working group is just beginning the metric development
process.

Ahead of the pack

While agencies are preparing for the move to dynamic cybersecurity, State and DHS
already have taken those initial steps.

State, for example, is widely seen as the model for the CDM concept.

Gouldmann said State will have to make some changes to its current dashboard
setup, called iPost. He's unsure exactly what those changes will be because GSA
hasn't awarded a contract yet, and the metrics haven't been determined.

At the same time, however, he said State used a lot of custom coding and a lot of
design, so using the standard set of vendors under the CDM contract will be
beneficial to how the department secures its networks.